
                         LPRng - An Enhanced Printer Spooler
                                     Introduction
                                    (Beta Release)

                          Patrick Powell <papowell@sdsu.edu>

                                      ABSTRACT

               The LPRng software is an enhanced, extended, and
               portable version of the Berkeley LPR software.  While
               providing the same general functionality, the
               implementation is completely new and provides support
               for the following features: lightweight (no databases
               needed) lpr, lpc, and lprm programs; dynamic
               redirection of print queues; automatic job holding;
               highly verbose diagnostics; multiple printers serving
               a single queue; client programs do not need to run
               SUID root; greatly enhanced security checks; and a
               greatly improved permission and authorization
               mechanism.

                               Introduction

             Print spooler software is one of the most common and heavily
          used system application programs.  While printing may appear to
          be simple on the surface, in practice it is complicated by the
          following problems.  Each model of printer has a peculiar set of
          interface and format requirements; this means that the printer
          software must be highly configurable at the device interface
          level.  Next, multiple users may want to share the same printer;
          this leads to the need for a spooling system with the associated
          problems of priority and fair use.  Printers are notorious for
          failing at the most inopportune times; the spooling software
          needs to report failures and to reconfigure or repair the system
          in a simple manner.  Finally, the software should be portable so
          that the same software can be used on different systems; in a
          network based system this introduces the problems of security
          and authentication.

             The LPRng Printer Spooling[Pow95] software is a descendant of
          the 4.3 BSD Line Printer Spooler Software (LPR),[Cam94] but has
          been totally redesigned and reimplemented.  The evolution started
          in 1986 at the University of Waterloo, where the original 4.3
          software was modified to support a variety of new printers.  Due
          to restrictions with the original AT&T and Berkeley software
          license these modifications could not be distributed.  The
          problems encountered during this process led to the development
          of the PLP (Public Line Printer) software[Pow95a] and PLP Version
          3.0 (PLP3.0) was released in 1988.  The PLP software architecture
          was based on the original LPR code, but with highly verbose
          diagnostics and a much more elaborate set of administration
          functions.

             From 1988 to 1994 various sites and administrators modified
          and extended the PLP3.0 software.  The plp@iona.ie mailing list
          was formed to distribute and coordinate these changes, and in
          1994 a major programming effort by Justin Mason <jmason@iona.ie>
          restructured the PLP3.0 code, integrated the majority of
          extensions, and PLP4.0 was released in 1995.

             Problems with the PLP software were discussed in the
          plp@iona.ie mailing list as well as various USENIX


          LPRng - Introduction                                            1






          newsgroups.  Given the current network security issues,
          client/server based applications, and growing administration
          problems, the PLP4.0 software needed extensive revisions.  There
          was general agreement on the following design goals.

             First, run time diagnostics and detailed error reporting were
          essential and should be the highest priority.  When problems
          occur users and administrators must quickly diagnose the causes,
          and obtaining information is essential.  Next, the user interface
          to the printing facilities should change as little as possible.
          This would allow a gradual evolution from LPR and PLP to the new
          software with as few surprises to the users as possible.
          However, the administrative interface could change, and many
          improvements and changes were suggested.  It was essential that
          the new software be compatible at the network interface level
          with other implementations of the LPR spooling software.  While
          in 1990 the RFC1179 - Line Printer Daemon Protocol[McL90]
          documenting the network protocol to be used to transfer print
          jobs and status information between line printer spooling
          programs was published, many of the existing implementations do
          not conform to RFC1179 or have made extensions to the RFC.  The
          existing LPR and PLP software uses a set of filter programs to
          interface to various printers.  A major concern of administrators
          was that these vintage filter programs should be usable with the
          new software.  Finally, the long list of security,
          administration, and networking problems should be eliminated if
          at all possible.

             These considerations led to the design and development of the
          LPRng software.  While it is a totally new design and
          implementation of spooling software, it uses routines and support
          code from the Free Software Foundation GNU Project, and is
          distributed under the GNU Copyleft License.[GNU91]  The LPRng
          software was intentionally designed to use as few non-portable or
          non-standard Operating System facilities as possible, or to use
          them in a highly controlled and portable manner.  The use of the
          GNU utilities such as autoconf and Gnumake allows operating
          system dependent versions of various support routines to be
          selected at compile time in an automatic manner.

             The following sections discuss the overall architecture of the
          LPRng software, and then deal with the major components.  The
          emphasis of this discussion is the added functionality or
          differences of LPRng.  The LPRng configuration information,
          extensions to the printcap database, and changes to the lpr and
          other client programs are discussed.  The operation of the job
          spool queues and the new algorithm used for job printing are then
          covered, together with a description of the filter interface
          mechanism.  Security and associated problems with SETUID ROOT
          programs are briefly discussed, and the summary at the end lists
          some outstanding issues.



                       LPRng Software Architecture

             The LPRng software architecture is shown in Figure 1.  While
          LPRng is similar in structure to the Berkeley LPR software, it
          differs in many important details.  The dashed lines indicate
          TCP/IP based communication between two programs; solid lines
          represent access to files or directories.  Boxes with dotted
          outlines represent databases that may be accessed by all
          programs, either as files or by using network facilities.  The
          user programs such as the print spooler lpr, the status reporter
          lpq, the job remover lprm, and the control program lpc are client
          programs which connect to one or more lpd server processes using
          TCP/IP.  After validation and authentication the servers carry
          out requested activities on files and/or provide status
          information.  The configuration and printcap databases provide
          the information needed by both server and client programs.  While
          clients do not need access to the printcap database, in many
          cases a runt database is useful for providing printer
          configuration information.

             As in the LPR software, the lpd server manages one or more
          spool queues where print jobs are stored.  These are implemented
          as directories in a file system.  A print job consists of a
          control file, which contains user information and printing
          options, and data files which contain the actual information to
          be printed.  A spool queue can be a bounce or

          _________________________________________________________________
          [Block diagram: the clients LPR, LPRM, LPQ and LPC; LPD servers
          for the queues t1@h1 (/usr/export/LPD/t1) and t2@h2
          (/usr/spool/t2) with their cf, df and hf job files; the config,
          printcap and permissions databases; and the t2 server (LPD) with
          its of, bp and if filters and the lp device (/dev/lp).]
                   Figure 1:  LPRng Spooling Software Architecture




          forwarding queue, which temporarily stores print jobs before they
          are transferred to another queue, or a print queue which has an
          associated printer.

             Operation of a spool queue is controlled by information in the
          spool queue printcap entry and the printer control file in the
          spool directory; individual print jobs may also have a job
          control file.

             Jobs are submitted to the lpd server by the lpr program which
          transfers the job over a TCP/IP connection.  The lpd server then
          forwards the job to another server or prints it.  The lpq program
          requests and prints job status information, and the lprm program
          removes jobs from the spool queue.  The LPRng software uses a
          permissions database and the printcap information to determine if
          a user is authorized to use a facility; authorization can be
          based on originating host, user name, and a variety of other
          attributes.

             After a job is placed in a print queue, lpd creates a server
          process to manage the printing operations.  This server process
          then creates the necessary filter processes which interface to
          the printer hardware.  The data files are passed through the
          filters to the actual printer.

                        Configuration Information

             Configuration information is used by both the LPRng clients
          and the lpd server.  The configuration information controls the
          network behavior of the programs, and provides a set of defaults
          for commonly specified system information.  Compile

          _________________________________________________________________
           # compile time only:
           #client_configuration_file /etc/lpd.conf:/etc/lpd_client.conf
           #server_configuration_file /etc/lpd.conf

           default_printer          t1
           default_host             %H
           default_banner_printer   /usr/local/bin/lpbanner
           lockfile                 /usr/spool/LPD/lpd.lock
           logfile                  /usr/adm/lpd.log
           #lpd_port                printer
           lpd_port                 4000
           originate_port           721 731
           user                     daemon
           group                    daemon
           #printcap_path           /etc/printcap:/usr/etc/printcap
           printcap_path            /tmp/LPD/printcap.%H
           #printcap_path           |/tmp/LPD/pcserver
           #printer_perms_path      /tmp/LPD/printer_perms.%H
           #printer_perms_path      /etc/printperm:/usr/etc/printperm
           printer_perms_path       /tmp/LPD/printer_perms.%H
           #print_perms_path        |/tmp/LPD/permserver
           use_info_cache           yes
           # include facility
           include                  /tmp/LPD/common.conf
                       Figure 2:  Configuration Database Format




          time defaults can be overridden by values read from a
          configuration file, whose format is shown in Figure 2.

             In all LPRng database files leading whitespace, blank lines,
          and lines whose first non-whitespace character is a # are treated
          as comments and ignored; a \ as the last character of a
          non-comment line will logically continue this line to the next
          line, replacing the \ with one or more spaces.

             Each line of the configuration file has a configuration
          variable and its value.  The client_configuration_file and
          server_configuration_file values are used only at startup and
          initialization, and specify the configuration files for the LPRng
          client and lpd server programs.  Each of the configuration files
          is read in sequence and variable values are updated as the files
          are read.

             Much of the configuration information provides site dependent
          information or allows configuration for testing.  The
          default_printer and default_host variables set the default
          printer and host to be used by client software; the %h and %H
          strings are replaced with the short or fully qualified domain
          name of the host on which the software is running.  The
          default_banner_printer sets the default banner printing program
          to be used by the lpd server; the lockfile and logfile are used
          by the lpd server to prevent multiple servers from running and to
          record lpd logging information.

             The lpd_port variable specifies the TCP/IP port on which the
          lpd server listens for client requests.  In production versions
          this is usually 515 (the printer alias in the network service
          database); by setting it to some other port a test version can be
          run in parallel with production software.

             The originate_port value specifies a range of TCP/IP port
          numbers for originating connections.  RFC1179 specifies that
          these connections should originate from port 721 to 731
          inclusive; in most UNIX environments these are privileged ports
          and cannot be used unless the program's effective UID is ROOT
          (0).  On a UNIX system, if the client software is not SETUID
          ROOT, then only the ROOT user can successfully bind to a
          privileged port.  See Security Considerations for details on
          problems this may expose.  The user and group entries specify the
          effective user and group IDs to be used by the lpd server.  For
          this to be effective, the lpd server must be SUID root or be
          started by a root process; see Security Considerations for
          details.

             The printcap_path, lpd_printcap_path, and printer_perms
          configuration information specifies where database information
          will be found.  All programs use the printcap_path and
          printer_perms information; the lpd server will use the
          lpd_printcap_path information after the printcap_path
          information.  The use_info_cache option allows the lpd server to
          read the information once at startup and then use a cached copy
          of this information, as does the inetd server.  If lpd receives a
          SIGHUP signal it rereads the database information.  Finally, it
          is possible to use the include facility to read additional
          configuration



          files.  This facility may be removed in later releases of the
          LPRng software.

                           Printcap Information

             Entries in the printcap database define spool queues and their
          configuration available to the LPRng software.  Figures 3a and 3b
          show a set of client and server printcap database entries.
          Leading whitespace, blank lines, and lines whose first character
          is `#' are ignored.  For compatibility with the historical LPR
          printcap format, \ at the end of a line appends the next line to
          the current line.
          _______________________________
           # printer p1@'local host'
           p1
           # remote printer
           p2
             |full|double|rotate
             |twosided|XDR Line Printer
             :lp=p2@host
           # remote printer alternative
           p3:rp=p3:rm=host
           # connect to port 2000
           p4:2000%host
           # all entry (lpq -a)
           all:all=p1,p2,p3
          Figure 3a:  Client Printcap Examples
          _______________________________
             A printcap entry consists of a primary name followed by an
          optional set of aliases, followed by an optional set of variable
          tag names and values.  The primary name is the name by which the
          printer is referred to in error messages and status information.
          The | separator starts an alias entry and the : separator starts
          a variable entry; entries extend to the end of line or the next
          separator character; leading and trailing whitespace in each
          entry is ignored.

             The LPRng client programs need only the lpd server host name
          and target printer on the server.  This can be specified on the
          command line using the `-Pprinter' or `-Pprinter@host' option; if
          no default is specified in the configuration information the
          local host is the default server host.  In Figure 3a, the simple
          printcap entry p1 means printer p1 on the default host; entry p2
          has two aliases, the last of which is really a comment and will
          be used when displaying status information.

             The lp (line printer) tag specifies the printer device or
          host.  The form lp=printer@host is printer on host; the form
          lp=printer@host%2000 indicates the lpd server is available on
          port 2000.  This last form is extremely useful when running
          multiple versions of spooler software, and for connecting to
          network based printers with specialized needs.  A file pathname
          such as lp=/dev/ttya specifies a printer device to be used by the
          server; the form lp=host%2000 indicates port 2000 on host is a
          network based printing device.
          _______________________________
           # Server/Client Printcap Database
           # file: /etc/printcap
           # clients see p1 as remote pr
           # server use sd tag to get
           #  /usr/spool/LPD/p1/printcap
           p1
             :cm=Test Printer 1
             :sd=/usr/spool/LPD/p1
             :lp=p1@host
           # second printer,
           p2
             :sd=/usr/spool/LPD/p2
             :tc=common
           # common information
           common:
             :lf=log
             :rw
             :of=/tmp/LPD/psof
             :if=/tmp/LPD/psif
           # Printer specific information
           #   used by server,
           # file: /usr/spool/LPD/\
           #        p1/printcap
           # Alternately, this information
           # could be part of the
           #   /etc/lpd_printcap file
           p1
             # override previous value
             :lp=/dev/ttya
             :lf=log
             :rw
             :of=/tmp/LPD/psof
             :if=/tmp/LPD/psif
           # debug
           #   :db=9,remote=10
           # autohold
           #   :ah
          Figure 3b:  Server/Client Printcap Examples
          _______________________________
             More printcap information is needed for the lpd server, as is
          shown in Figure 3b.  Spool queues have printcap entries with an
          sd (spool directory) tag.  The tc tag (recursively) appends a
          printcap entry to the end of the referencing entry.

             The lpd server checks to see if a printcap file is in the
          spool directory, and will read the printcap information from this
          file, overriding existing information.  This allows a single
          master printcap database to be used by both clients and servers;
          the clients ignore the sd tags and the server gets printer
          specific information from the printcap file in the spool
          directory.

             In addition, the oh (options for host) entry can be used to
          specify that the printcap entry is used only by a host whose IP
          address matches the IP address of the entry.  For example, if
          oh=dickory.sdsu.edu, then only hosts with the same IP address as
          dickory.sdsu.edu would use the printcap entry.  By using the oh
          entry in the server printcap entry a single printcap database
          file can be used.

             A major administration problem is the distribution of printcap
          information.  One solution is to use a network database such as
          Sun Microsystems NIS, HESIOD, Sybase, etc.  Rather than build in
          a specific database access method the LPRng software uses the
          concept of database filters to access the information.  In Figure
          2, the configuration printcap_path value |/tmp/LPD/dbserver
          specifies using a filter program to get printcap information.

             The filter program is started by the client or server process
          and a string containing the name of the desired printcap entry is
          sent to the filter's stdin port; the returned printcap
          information is read from the filter's stdout port.  By
          convention, an all request returns either all the available
          printcap entries, or an all printcap entry whose all tag contains
          a list of available printers.

             The Sun NIS database can be accessed by using a simple shell
          script and the ypmatch program; HESIOD, DBII, Sybase, and other
          databases can be supported in the same manner.

                              Job Submission

             The lpr client program submits jobs to the lpd server by
          simply using a TCP/IP connection and sending the files to the
          server.  The only information the client needs is the printer and
          hostname, and it can run as a user application.

             If the printer output is piped to the lpr client, then RFC1179
          allows the output to be directly copied from the client to the
          server by using the lpr -k (for seKure) option.  While



          LPRng supports this option, many other LPR server implementations
          are defective or do not support this capability.  This is useful
          when creating large jobs, or when there are security related
          problems with creating a temporary file on the client host.

             The LPRng clients can run as ordinary user processes; this
          eliminates any problems with unauthorized access to files, as the
          client has no permissions except those of the user.

             However, for the lpr client to be compatible with vintage LPR
          spooling software (i.e.- SUN Microsystems), it must originate a
          connection from a privileged port.  For this reason, when run as
          a SETUID ROOT program, after making a connection to the server,
          the lpr client uses setuid(2) to drop the root permissions, and
          operates as an ordinary user program.

             Several of the vintage lpr options such as the `-s' (use
          symbolic links) and `-r' options (remove on printing) are not
          supported; the symbolic link option has no effect as files are
          transferred directly to the server, and the remove option has
          caused more than one user to accidentally delete the files that
          he wanted printed!

                  Permissions and Authorization Checking

             One of the requirements of any printer spooling system is to
          deny access to unauthorized users and to record accounting
          information for authorized users.  The LPRng software uses a
          rather elaborate permissions

          _________________________________________________________________
                                    Spool Print
          SERVICE     S     'X'     'R'   'P'    'Q'  'M'   'C'
          USER        S             JUSR  JUSR        CUSR  CUSR
          HOST        S     RH      JH    JH     RH   JH    JH
          IP          IP    RIP     JIP   JIP    RIP  JIP   JIP
          PORT        N     PORT    PORT         PORT PORT  PORT
          REMOTEUSER  S             CUSR         CUSR CUSR  CUSR
          REMOTEHOST  S     RH      RH    JH     RH   RH    RH
          REMOTEIP    IP    RIP     RIP   JIP    RIP  RIP   RIP
          PRINTER     S             PR    PR     PR   CPR   CPR
          SAMEHOST                  SH                SH
          SAMEUSER                  SU                SU
          KEY:
             CUSR user name in connection
             JUSR user name in control file
             RH   connecting host name
             RIP  connecting host IP
             PORT connection origination port
             JH   host name in control file
             JIP  IP address of JH
             SH   Same host    JIP == RIP
             SU   Same user    JUSR == CUSR
          Match: S = string with glob wild card, IP = IPaddress[/netmask],
             i.e.- x.y.z.w/a.b.c.d or x.y.z.w/N where N is length of mask
             N = low[-high] number range; NOT negates the test status
                           Figure 4:  Permission Attributes
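
The attributes of Figure 4 applied to permission lines, as an added example that is not code from LPRng or from this paper: a small Python evaluator that scans the lines of Figure 5 in order and returns the result of the first line whose entries all match, handling NOT, alternate patterns, IP/netmask and port ranges. The request dictionary and its field names, the helper names, and the `default` argument (standing in for default_permission) are assumptions of this example, and the caller is assumed to have already chosen the USER, HOST and IP values that Figure 4 lists for the service.

```python
import fnmatch
import ipaddress

# From Figure 5; its SERVER line is omitted (Figure 4 does not define SERVER).
FIGURE5_LINES = r"""
# Reject connections not in our subnet
REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
ACCEPT SERVICE=C,M HOST=hop.sdsu.edu,skip.sdsu.edu \
    PORT=721-731 USER=root
ACCEPT SERVICE=M SAMEUSER SAMEHOST
REJECT SERVICE=C,M
"""


def load_rules(text):
    """Parse lines into (result, [(negate, attribute, patterns), ...])."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                     # comments and blank lines are ignored
        if line.endswith("\\"):
            pending += line[:-1] + " "   # trailing '\' continues the line
            continue
        tokens, pending = (pending + line).split(), ""
        result = tokens[0].upper()
        if result not in ("ACCEPT", "REJECT"):
            raise ValueError("unknown match result: " + tokens[0])
        entries, negate = [], False
        for token in tokens[1:]:
            if token.upper() == "NOT":   # NOT negates the test that follows
                negate = True
                continue
            name, _, patterns = token.partition("=")
            entries.append((negate, name.upper(), patterns.split(",")))
            negate = False
        rules.append((result, entries))
    return rules


def _glob(pattern, value):               # match type S: string with glob
    return fnmatch.fnmatchcase(value, pattern)

def _ip_in_net(pattern, addr):           # match type IP: address[/netmask]
    net = ipaddress.ip_network(pattern, strict=False)
    return ipaddress.ip_address(addr) in net

def _port_in_range(pattern, port):       # match type N: low[-high]
    low, _, high = pattern.partition("-")
    return int(low) <= int(port) <= int(high or low)

MATCHERS = {"SERVICE": _glob, "USER": _glob, "HOST": _glob,
            "IP": _ip_in_net, "PORT": _port_in_range}


def entry_matches(name, patterns, request):
    if name == "SAMEHOST":
        return request["JIP"] == request["RIP"]
    if name == "SAMEUSER":
        return request["JUSR"] == request["CUSR"]
    if name not in MATCHERS:
        raise ValueError("unsupported attribute: " + name)
    # Alternate patterns are tried in order until one matches.
    return any(MATCHERS[name](p, request[name]) for p in patterns)


def check(rules, request, default="REJECT"):
    """Scan in order; the first line whose entries all match decides."""
    for result, entries in rules:
        if all(entry_matches(n, p, request) != neg for neg, n, p in entries):
            return result
    return default                       # assumed stand-in for default_permission


def make_request(**fields):
    """Constructed request; field names are assumptions of this example."""
    base = dict(SERVICE="M", USER="alice", HOST="hop.sdsu.edu",
                IP="130.191.1.5", PORT=1024, CUSR="alice", JUSR="alice",
                RIP="130.191.1.5", JIP="130.191.1.5")
    base.update(fields)
    return base


def demo():
    rules = load_rules(FIGURE5_LINES)
    root = dict(USER="root", CUSR="root", JUSR="bob")
    cases = [
        make_request(SERVICE="X", IP="192.0.2.7"),  # connect, outside subnet
        make_request(SERVICE="X"),                  # connect, inside subnet
        make_request(PORT=725, **root),             # root lprm, reserved port
        make_request(PORT=40000, **root),           # root lprm, ordinary port
        make_request(),                             # user removes own job
        make_request(JUSR="bob"),                   # user removes another's job
    ]
    return [check(rules, case, default="ACCEPT") for case in cases]

if __name__ == "__main__":
    print(demo())
```

The third and fourth requests differ only in source port, which shows how much the root rule rests on PORT=721-731.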




          and authorization mechanism, similar to the ones used by computer
          network firewalls.

             Since all spooling operations are carried out by the lpd
          server, it is the only process that needs to perform permissions
          checks.  Permissions are checked when a connection is made to the
          server, and before the server performs an action or provides
          information requested by the various client programs.  In
          addition, the server checks job permissions before it prints a
          job as well as when the job is submitted.  This allows NFS based
          printer spooler software, which copies control and data files
          directly to a spool directory, to be used with the LPRng
          software.  See the Security Considerations section for a
          discussion of problems related to allowing this type of activity.

             Each request for service has a set of attributes and values; a
          list of these attributes is shown in Figure 4.  Figure 5 shows a
          sample permissions database.  Each line in the database consists
          of a match result and a list of attribute names and match
          patterns.  Permissions checking is done by scanning the database
          in order, checking each line for a match.  If all the entries on
          a line match, then the result is the match result for the line or
          the current default.  Note that each entry can have several
          alternate patterns; these patterns are tried in order until a
          match is found.

             The default_permission configuration variable specifies an
          initial (default) permission database entry; additional
          permission databases are specified by the printer_perms_path
          configuration variable.  When checking permissions for a spool
          queue with printcap entry, the xu printcap tag provides an
          additional set of databases to be searched as well.  One of the
          database entries can be a filter, which is invoked with the
          filter_options specified in the configuration database, and has
          the name of the printer written to its standard input.  The
          filter options include the

          _________________________________________________________________
           # Reject connections not in our subnet
           REJECT SERVICE=X NOT IP=130.191.0.0/255.255.0.0
           # Allow root on trusted hosts or server
           # to have control and removal capability
           # and users on the same host to remove their jobs
           ACCEPT SERVICE=C,M HOST=hop.sdsu.edu,skip.sdsu.edu \
               PORT=721-731 USER=root
           ACCEPT SERVICE=C,M SERVER USER=root
           ACCEPT SERVICE=M SAMEUSER SAMEHOST
           REJECT SERVICE=C,M
           # do not allow forwarded jobs from anybody but dickory
           ALLOW SERVICE=R NOT SAMEHOST HOST=dickory.sdsu.edu
           REJECT SERVICE=R NOT SAMEHOST
           # Allow PC lab to spool to laserwriter
           ACCEPT SERVICE=R,P,Q PRINTER=lw4 HOST=*.eng.sdsu.edu
           # if no match in other database then you fail
           DEFAULT REJECT
                        Figure 5:  Sample Permissions Database



          print  job user name, which can       Spool Queues and Job Files
          be used to search a database to
          determine  if the user has per-       The main activity of the lpd
          mission  to access a file.  The    server  is centered on managing
          filter  output  is  used  as an    print jobs in the spool queues.
          additional  permission file for    A  print job consists of a con-
          permissions checking.              trol  file, containing user and
             If  no  match is found after    other   information,  and  data
          searching  all  specified data-    files  containing  the informa-
          bases  then  the last specified    tion  to  be printed.  The con-
          default   permission   will  be    trol  file  format is specified
          used.                              by  RFC1179;  a sample job con-
             Permission   attributes  are    trol file is shown in Figure 6.
          treated  as string, integer, or    Control  file  names  have  the
          IP  address values.  The string    format cfXnnnHOST, where X is a
          patterns  are based on the sim-    letter,  nnn  is  a 3 digit job
          ple glob patterns of the Bourne    number,  and  HOST  is  a  host
          and  C  shells,  and  use  case    identifier.   Data  files names
          insensitive  matching with only    have   the  format  dfXnnnHOST,
          the * metacharacter.  For exam-    where  X  is  a letter, and nnn
          ple, the pattern A*b will match    and  HOST  are identical to the
          Ab,  and  AthisB.   IP  address    corresponding control file.
          patterns  are an address (ADDR)    _______________________________
          followed by an optional netmask     Ppapowell
          (NM)    which    defaults    to     J(stdin)
          255.255.255.255;    the   match     CA
          succeeds  if  (using C language     Lpapowell
          notation) (IP^ADDR)&NM is zero.     Qt1
          For    example,   the   pattern     fdfA917taco.sdsu.edu
          130.191.163.0  /  255.255.255.0     N(stdin)
          matches all of the addresses in     UdfA917taco.sdsu.edu
          the 130.191.163.0 subnet range.      Figure 6:  Job Control File
          The  netmask can also be speci-    _______________________________
          fied by the number of most sig-       Control  file lines starting
          nificant  non-zero  bits.   For    with  an upper case letter pro-
          example,                           vide   information   and  those
          130.191.163.0/255.255.255.0 and    starting    with   lower   case
          130.191.163.0/24  are  the same    letters  specify a format and a
          address/mask    pair.    Number    data  file  to  be printed with
          patterns are a low to (optional)   the format.  For example, the P
          high integer range.                (person)  and  H  (host)  lines
             The  special  pattern  char=    give  the  originating user and
          pattern  matches  the char line    host name; the I (indent) and L
          in the job control file against    (banner  name)  are  used  when
          pattern.       For     example,    printing the job.
          C=A*,B*,C*  will  check  the  C       The  LPRng  software extends
          (class)  information line for a    the  basic RFC1179 control file
          string  starting  with A, B, or    entries  by  adding  Z  (output
          C.   The  special  pattern NULL    filters  options) and Q (origi-
          matches  missing or no informa-    nal queue).  The value of these
          tion;  for  example the permis-    options   are   passed  to  the
          sions  entry  ALLOW SERVICE=R,P    filters  that  format and print
          USER=NULL,*   allows  anonymous    the  data  files.  For example,
          job spooling and printing.         Figure 3a shows an example of a


          printcap    entry   (p2)   with    server  to  transfer  all spool
          several  aliases.  The lpr com-    jobs  to  the  specified remote
          mand     lpr     -Q    -Pdouble    printer.    When   autohold  is
          -Zheavy_paper   will  create  a    enabled,  the  server  will not
          control  file  with the Qdouble    process  a  jobs  until  it  is
          and  Zheavy_paper  entries  and    released  by a request from the
          sends  it  to  the  p2 printer.    lpc  program.   The printcap ah
          The output printing can use the    flag  can  be used to set auto-
          Q and Z entries to select vari-    hold on by default.
          ous paper and format options.      _______________________________
                                              spooling_disabled 1
               LPD Server Operations          debug 10,remote=5,log=/tmp/log
                                              redirect  p3@mentor
             The lpd server creates a queue   autohold  off
          server  process  for each spool     class     A,B
          queue,  and then waits for con-     Figure 7a:  Spool Control File
          nections  from  clients.   Each    _______________________________
          time   a  request  arrives  the       The  class  entry  restricts
          server  will  create a new pro-    the   printable   jobs  to  the
          cess  to  handle  the requests.    specified class.  This facility
          The  max_servers_active  confi-    allows   special  forms  to  be
          guration  variable  can be used    mounted  on  a printer and only
          to  limit  the number of active    jobs  which  need  them  to  be
          servers.  The queue server pro-    printed.   The  special pattern
          cess  uses  the  printcap entry    char=patterns  restricts print-
          information  and  a set of con-    ing to jobs with a control file
          trol  files in the spool direc-    line  starting  with char which
          tory  to control its activities    matches  pattern.  For example,
          and  report its actions (Figure    P=accounting  could  be used to
          1).   In  the discussion below,    restrict  printing to jobs from
          printer  stands  for  the  pri-    the accounting user.
          mary  printer  name;  all files       The  debug  entry is a diag-
          are   in  the  spool  directory    nostic  and  testing  aid.  The
          unless otherwise indicated.        set  of  options  are  used  by
             The    Server    lock   file    the server to enable or disable
          (printer)  is  used  to  ensure    specific   testing   functions.
          that only one server process is    For  example,  10,remote=5,log=
          active  at  a  time.  The spool    /tmp/log  specifies  a  general
          control  file (control.printer)    debugging  level of 10, setting
          has  the format shown in Figure    the  remote flag to 5, and log-
          7a, and controls one or more of    ging to the /tmp/log file.
          the spool queue related activi-       The  lpc  (line printer con-
          ties.   Entries  in  this  file    trol)   program   is   used  to
          override defaults and values in    request   the   lpd  server  to
          the  printcap  database.  Note:    change  the  spool control file
          the  information  shown in this    values  and take other actions,
          file  may not be present at all    such  as  starting  or stopping
          times.                             server processes.  The lpc pro-
             The       control       file    gram  can also request (brutal)
          spooling_disabled and printing_    spool  server  process termina-
          disabled entries disable spool-    tion,  and  (gentle) restarting
          ing  to  the queue and printing    of spooling activities.
          from  the  queue  respectively.       The   spool  server  process
          The  redirect  entry causes the    scans the spool queue, ordering


          jobs   to   be  serviced  in  a    entry indicates that the job is
          first-in,    first-out    order    being  held  by  administrative
          within priority classes.  Class    actions;  a  hold  value  of  0
          A   is   the  lowest  (default)    allows  a  job  to  be printed.
          priority, and Z is the highest.    The  lpc  hold and release com-
          When  a  job  is  selected  for    mands  can  be used to hold and
          servicing,   the  spool  server    release jobs.
          forks  a  subserver  process to       The priority field specifies
          carry out the actual work.         an   additional  level  of  job
             The  reason for using a sub-    priority;  jobs  with  non-zero
          server process for per job ser-    priority  fields  are  serviced
          vicing  is based on experiences    before  jobs with 0 fields; the
          with  a  variety of UNIX imple-    lpc  topq  command  updates the
          mentations.    Some   of  these    priority value.
          implementations   have   memory       The  redirect  entry supple-
          leaks  or file descriptor leaks    ments  the spool queue redirect
          associated  with  various data-    information.  This entry allows
          base  and  networking routines;    individual  jobs to be moved to
          each  time a process uses these    another  spool  queue.  The lpc
          routines  they  open a new file    move    command   updates   the
          descriptor   or  allocate  some    redirect value.
          temporary    storage.    Unfor-       The remove and error entries
          tunately,  these routines never    are  used  to  solve  a problem
          close    the   descriptors   or    with defective or misconfigured
          reclaim   the  storage.   These    printing software.  After a job
          defective     functions     are    is   serviced   its  files  are
          firewalled  in a subserver pro-    removed  from  the spool direc-
          cess, which only exists while a    tory.   However,  sometimes due
          particular  job  is  processed.    to   accident  or  intent,  the
          Note  that  the  same  problems    files    cannot   be   deleted,
          exist  in the lpd server, which    resulting in the job being end-
          also   takes  care  to  isolate    lessly  printed  and preventing
          these  actions  in  a subserver    normal  operations.  When a job
          process.                           is  serviced, the job hold file
          _______________________________    is  created  and written in the
           hold       1                      spool  directory;  if  the hold
           priority   0x873486               file cannot be modified the job
           remove     1                      is not serviced.  After the job
           redirect   p4@mentor              has  been  serviced  the remove
           error      Printer timed out      field  is  set  to  a  non-zero
             Figure 7b:  Job Hold File       value;  this  prevents  the job
          _______________________________    from  being  reprinted, and the
             When  a  job is selected for    error  field  records any error
          service,  the subserver process    conditions  that  might inhibit
          creates  a  job  hold  file  to    retrying   servicing  the  job.
          record     information;     job    This  information  is displayed
          cfA001mentor   will  have  hold    by the lpq (line printer queue)
          file  hfA001mentor.   The  hold    program.   After  the job files
          file  has  the  format shown in    have been successfully removed,
          Figure 7b.                         the server then removes the job
             The active entry records the    hold file.
          process  ID  of  the  subserver       A  bounce  queue  is used to
          process, and indicates that the    temporarily   hold  jobs  until
          job is active.  A non-zero hold    they  can  be  forwarded  to  a


          remote printer.  This is useful      :if=/if_filter
          when  sending jobs to a network
          printer.   The  LPRng  software           Printing Algorithm
          lpr  and  lpd  programs use the
          same  algorithm  to  check file       On the surface, dealing with
          permissions  and  accessibility    the  printer hardware should be
          when  sending  jobs to a remote    quite  simple: the printer dev-
          printer.   Normally, data files    ice  is  opened,  the  job data
          are  not modified when forward-    files  are  sent to the device,
          ing,   but   if   the  printcap    and the printing device is then
          bq=destsystem  flag  is set and    closed.   The  actual algorithm
          there  is an appropriate format    used  by  the  lpd  server  for
          filter,  the data files will be    printing  a  job is rather com-
          processed  by the filter before    plex, in order to deal with the
          transferring to the destination    following problems.
          system.   Note that for correct    1.  Each  printer  usually  has
          operation, the printcap lp flag        specific  requirements  for
          should  be set to the name/host        connection  and initializa-
          combination   of   the   bounce        tion,  not  to  mention the
          queue, i.e.-                           actual    transmission   of
          bqname:lp=bqname@host                  data.
            :bq=destq@host                   2.  If  the  connection  to the
            :sd=/var/...                         printer  is  a serial line,

          _________________________________________________________________
           OF = IF = LP;   // set defaults
           if( 'of' ) OF = filter( 'of' ) -> LP;
                              // make OF filter
           if( accounting at start 'as')
             do accounting;
           if( leader on open 'ld' ) `ld` -> OF;
                             // send leader
           if( FF on open 'fo' ) `fo` -> OF;
                             // send FF

           // check to see if banner required
           do_banner =
             (always banner 'ab'
               || (!suppress banner 'sb'
                 && control file 'L' ));
           if( ! header last 'hl' && do_banner ){
             BP = OF; bnr = null;
             if( banner start 'bs' ) bnr = 'bs'
             else if( banner program 'bp' ) bnr = 'bp'
             if( bnr ){
               BP = filter( bnr ) -> OF;
             }
             short banner info -> BP;
             if( BP != OF ) close( BP );
           }
           // suspend the OF filter
           if( OF != LP ) suspend OF filter;
                     Figure 8a:  Printing algorithm used by LPRng



              stty(1) (or a similar func-    6  Administrators have a strong
              tion)  must  set the speed,       desire to record the printer
              format,  and  other charac-       usage  so  that users can be
              teristics.   When  a serial       billed appropriately.
              line is closed and reopened    7  Some   serial  line  devices
              the   line  characteristics       must  be  opened  in  a non-
              may   be   reset   to  some       blocking mode so that confi-
              default   value,  requiring       guration  operations  can be
              the  line  to  be held open       performed.
              throughout   the   printing       In  order  to handle printer
              process.                       specific problems, each printer
          3  The  effects  of the failure    has a set of filters or support
             printing  a  job  should  be    for  specific  operations.  For
             localized to that job.          for  specific  operations.  For
          4  Different  types  of  output    example   the  of  filter  will
             such    as   raster   plots,    print banners, page separators,
             PostScript    files,    text    and other high level queue con-
             files,   etc.,  may  require    trol  functions.   Files  whose
             different    handling   when    print   format  is  the  (lower
             printing.   This can be very    case)   character  ?   will  be
             device specific.                printed  using a ?f filter; the
          5  Multiple  users  may use the    programs  corresponding to each
             same  printer;  jobs need to    format   are   found   in   the
             be    carefully   separated,    printcap file.
             banner  pages  provided, and    The  algorithm used by LPRng is
             other  administrative  func-    shown in Figure 8.  It is simi-
             tions performed.                lar  to  the  original Berkeley

          _________________________________________________________________
             // send FF between files of job
             if( !first job && ! suppress FF 'sf' ){
               if( OF != LP ) wake up OF filter;
               'ff' -> OF;
               if( OF != LP ) suspend OF filter;
             }
             // get filter for job
             ?F = LP; // default - no filter
             format = jobformat;
             if( jobformat == 'f' or
               jobformat == 'l' ){
                 format = 'f';
             }
             filter = format filter from printcap;
             if( filter ){
               ?F = filter( filter ) -> LP;
             }
             // send data file to printer
             // through filter
             data file -> ?F;
             // kill filter
             if( ?F != LP ) close( ?F )
           endfor
                     Figure 8b:  Printing algorithm used by LPRng



          algorithm,  but  not identical.    'nb'  printcap  entry  forces a
          Names  such  as  `of'  refer to    nonblocking  open to be done on
          entries  in  the printcap data-    a device.
          base and OF is a filter process       The   as   and  ae  printcap
          created  from the `of' informa-    entries  specify  a  filter  or
          tion;  OF  = filter('of') -> LP    format  to  be  used  to record
          means create the OF filter from    accounting  information  at the
          the   of   information  in  the    beginning   or  end  of  a  job
          printcap file, and send it out-    respectively,    and   the   af
          put to the LP filter or device.    printcap  entry  specifies  the
             While  the algorithm used by    accounting  file where account-
          LPRng  is similar to the origi-    ing information should be sent.
          nal   Berkeley  LPR  algorithm,    For  example,  for  a  230 byte
          there  are  some subtle differ-    long  job spooled to printer p1
          ences.    Before   the  job  is    by   john   on  pc1  the  entry
          printed,  it is checked for the    as=start $P $u $H $b will write
          formats  it  uses.  If there is    start  p1  john  pc1 230 in the
          no  filter available for a data    accounting   file.   The  entry
          file the job is not printed and    as=|/usr/local/psaccnt    start
          only  an  error message is gen-    will  run  the psaccnt program,
          erated.                            with   the  additional  options
             The   printing   device   is    specified by the filter_options
          opened   and  closed  for  each    configuration    variable   and
          print  job.   This eliminates a    waits  for it to terminate.  If
          set   of  problems  of  printer    the  program  terminates with a
          failure;  when  various network    non-zero  error status then the
          and  other  printers  will fail    job  will  not be printed.  Any
          printing  a file, they will not    error  message  printed  by the
          work correctly until reset by a    program  on  its  stderr output
          network  reconnection or a dev-    will be placed in the log file.
          ice  open.   In  addition,  the    The   program  stdout  will  be

          _________________________________________________________________
           if( OF != LP ) wake up OF filter;
           if( header last 'hl' && do_banner ){
             if( ! no FF separator 'sf' )
               'ff' -> OF;
             BP = OF; bnr = null;
             if( banner end program 'be' ) bnr = 'be'
             else if( banner program 'bp' ) bnr = 'bp'
             if( bnr ){
               BP = filter( bnr ) -> OF;
             }
             short banner info -> BP;
             if( BP != OF ) close( BP );
           }

           if( ff on close 'fq' ) 'ff' -> OF;
           if( trailer on close 'tr' ) tr -> OF;
           if( accounting at end 'ae') do accounting;
           if( OF != LP ) close( OF );
           close( LP );
                     Figure 8c:  Printing algorithm used by LPRng



          connected   directly   to   the    filter if it is present.
          printer device or filter speci-       LPRng    can   use   vintage
          fied  by  the  lp  field.  This    filters  available  for LPR and
          allows  any specialized probing    other  spooling  systems with a
          of  the  printer  to be done by    minimum  of  changes.  The sec-
          the accounting program.  The ae    tion  on  Filters discusses how
          field  specifies  the string or    they are accommodated.
          filter to be used at the end of       LPRng    supports   multiple
          a job.  Similar action is taken    printers serving a single print
          at  the  end of a job using the    queue.   The master print queue
          ae printcap entry.                 has   a  sv=server1,server2,...
             In  addition to the account-    (servers)  printcap entry list-
          ing  done  by  the lpd program,    ing  the  server printer names;
          filters  can also do accounting    server    printers    have    a
          and  write their results to the    corresponding         ss=master
          accounting  file.   By  conven-    (serves)  printcap  entry.  The
          tion,  the  name  of  this file    master  spool queue server pro-
          will  be  passed to the filter,    cess  creates  a subserver pro-
          and  FD  3 will be connected to    cess  for  each  slave printer;
          the file.                          the  subserver  processes print
             In  addition  to  these file    all  of  the jobs in the server
          and  program  based facilities,    spool queue and then terminate.
          if  the accounting file has the    As   each   of  the  subservers
          form  af  =host%port then it is    processes  terminates, the mas-
          assumed  to  specify a host and    ter selects a job from the mas-
          port  for  a  remote accounting    ter spool queue and then creates
          server.   The  lpd program will    a  new subserver process.  This
          make a connection to the speci-    subserver process will copy the
          fied  host  and  port, and then    job  to  the server spool queue
          send   the   as   string  (with    and then process the job.  Note
          expanded    options)   to   the    that print jobs can be directly
          server.          If         the    spooled  to slave spool queues,
          accounting_check  flag is TRUE,    allowing  users to send jobs to
          the  server  will  check for an    a  server printer as well as to
          ACCEPT  reply  from the server,    the master spool queue.
          and  will  reject the job if it
          is  not  received.  The connec-       The   LPRng  software  makes
          tion  will be passed to filters    heavy  use  of filter processes
          as FD 3, and they can also send    for  printing  and other opera-
          accounting  information  to the    tions.   A filter specification
          server.                            h...
             Each site usually has a dif-    Prin...
          ferent  set of needs for banner    usua...
          printing.   LPRng  has  removed    indi...
          fancy  banner printing from the    EUID...
          lpd  server  to a separate pro-    keyword  runs  EUID  ROOT.  See
          gram.   The bp (banner printer)    S...
          program  generates a banner for    det...
          a  job;  users  can  modify the    absolute p...
          banner  without  modifying  the    able file and the options are a
          LPRng  software.    Note   that    set  of  options  to invoke the
          banners  can  be printed at the    filter  with.   In  addition to
          beginning   and  end  of  jobs.    the user specified options, the
          All  banner  output  is  passed    LPRng  software will append the
          through the of                     configuration          variable
                                             filter_options           unless
                                             suppressed by the -$ flag.

          _________________________________________________________________
           path arg1 arg2 $P $w $l $x $y
             $K $L $c $i \
             $Z $C $J $R \
             $0n $0h $F $-a
           Expanded Specification
           path arg1 arg2 \
             -PPrinter -wpw -lpl -xpx -ypy \
             -Kcontrolfilename -LLogname -iIndent \
             -ZZoptions -CClass -JJobinfo -RRaccountname \
             -n Person -h Host -Fformat af
           Note: pw, pl, etc. are from printcap entries,
             Printer, Logname, etc. are from control file lines,
             other information generated by server.
                    Figure 9:  Filter Specification and Expansion

             The  options are scanned for
          variable   substitutions  indi-
          cated  by $ characters.  If key
          has  a  non-zero  length string
          value  X,  then $key expands to
          -keyX,  $-key expands to X, and
          $0key  to  -key X, i.e. a space
          separating  the  key and value.
          For  a  printer  filter, if the
          data  file  format is binary $c
          expands to -c. The substitution
          formats   allow   the  user  to
          create  interfaces  to  vintage
          printer  filters with a minimum
          of  effort; see Figure 9 for an
          example.  As a further aid, the
          printcap bkf (backwards filter)
          flag  appends a list of options
          which  are compatible with most
          vintage printer filters.
             In  addition  to the command
          line  options  filters have the
          PRINTCAP,   CONTROL_FILE,   and
          DATA_FILE environment variables
          set  to  the  printcap informa-
          tion,  control  file  contents,
          and   data   file   name  being
          printed.   This  allows filters
          to  use information in the con-
          trol  file  or printcap entries
          with   a   minimum   amount  of
          effort.
             By  convention  filters read
          input   from  stdin,  write  to
          stdout,  and  write  errors  to
          stderr.   The  error  output is
          usually  directed  to the error
          logging  file  for the printer.
          Print    filters   have   their
          current  directory  set  to the
          printer spool directory.
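
The $key, $-key and $0key substitution rules above, written out as an added C example (not LPRng source code). It assumes single-letter keys as in Figure 9, emits nothing for a key with an empty value, and builds an argument vector so that a control file value containing spaces or punctuation stays inside one argument; the names expand_filter_spec, option_value and sample_job are hypothetical and the job values are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ARGS 32
#define ARG_LEN  128

struct option_value { char key; const char *value; };

/* Constructed job values; the J value contains a space and a ';'. */
static const struct option_value sample_job[] = {
    {'P', "p1"}, {'w', "80"}, {'n', "john"}, {'h', "pc1"},
    {'J', "Q3 report; draft"}, {'a', "acct"}, {'Z', ""}, {0, NULL}
};

/* Return the value bound to a single-letter key, or NULL. */
static const char *lookup(const struct option_value *vars, char key)
{
    for (; vars->key; vars++)
        if (vars->key == key) return vars->value;
    return NULL;
}

/* Expand a filter specification into an argument vector.
 * Returns the argument count, or -1 on malformed or oversized input. */
static int expand_filter_spec(const char *spec, const struct option_value *vars,
                              char argv[][ARG_LEN])
{
    char copy[512];
    int argc = 0;

    if (strlen(spec) >= sizeof copy) return -1;
    strcpy(copy, spec);
    /* The specification is split into words before any value is
     * substituted, so a value is never re-split on its own spaces. */
    for (char *tok = strtok(copy, " \t"); tok; tok = strtok(NULL, " \t")) {
        const char *val = tok;
        char mode = ' ', key = 0;
        int n;

        if (tok[0] == '$') {
            tok++;
            if (*tok == '-' || *tok == '0') mode = *tok++;
            key = *tok;
            if (!key || tok[1]) return -1;      /* single-letter keys only */
            val = lookup(vars, key);
            if (!val || !*val) continue;        /* empty value: emit nothing */
        }
        if (argc + 2 > MAX_ARGS) return -1;
        if (!key || mode == '-') {              /* literal word, or $-key: X */
            n = snprintf(argv[argc++], ARG_LEN, "%s", val);
        } else if (mode == '0') {               /* $0key: "-key" then "X" */
            snprintf(argv[argc++], ARG_LEN, "-%c", key);
            n = snprintf(argv[argc++], ARG_LEN, "%s", val);
        } else {                                /* $key: "-keyX" */
            n = snprintf(argv[argc++], ARG_LEN, "-%c%s", key, val);
        }
        if (n < 0 || n >= ARG_LEN) return -1;   /* refuse to truncate */
    }
    return argc;
}

int main(void)
{
    char argv[MAX_ARGS][ARG_LEN];
    int argc = expand_filter_spec("/if_filter $P $w $Z $J $0n $0h $-a",
                                  sample_job, argv);
    for (int i = 0; i < argc; i++)
        printf("argv[%d] = [%s]\n", i, argv[i]);
    return argc < 0;
}
```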

              Security Considerations

             Security considerations were
          a major factor in the design of
          the  LPRng  software.   Many of
          the problems center on the fol-
          lowing issues.
          1.  Users  trying  to  use  the
              printer spooler software to
              exploit bugs in the operat-
              ing  system  and  gain root
              access.
          2.  Users  trying  to  use  the
              printer spooler software to
              gain unauthorized access to
              other users' files.
          3.  Users  trying to gain ille-
              gal   access   to  printing
              facilities.
          4.  Users   trying   to   avoid
              accounting procedures.
          5.  Denial of service attacks.
             The  first issue to be dealt
          with  is  the  problem  of ROOT
          permissions.  All of the client
          LPRng programs can run as ordi-
          nary  users;  this eliminates a
          large number of attacks on sys-
          tem   security   by  trying  to
          exploit  various defects in the
          system  based on SUID root pro-
          grams.   The  LPD server is the
          only  program  that  absolutely
          needs  to  run  with  real  UID
          (RUID)   ROOT   as  it  uses  a
          privileged   TCP/IP   port   to
          listen   for  incoming  connec-
          tions, and in most UNIX systems
          bind(2) requires EUID ROOT per-
          missions    to    bind   to   a
          privileged  port.   (It  is not
          recommended    that    a   non-
          privileged  port  be  used as a
          trojan  horse  user program can
          bind  to it and impersonate the
          LPRng  software.)  According to
          RFC1179   a   connection  to  a
          server  must  originate  from a
          (privileged)  port in the range
          721-731.
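
          The following added example (not LPRng's own code; the function
          names are hypothetical) shows how a daemon started by root can
          raise its EUID to root for the bind(2) call alone, and how a
          server can check the RFC1179 source-port range on an accepted
          connection.  It assumes a POSIX system with seteuid(2).

```c
#define _POSIX_C_SOURCE 200809L   /* for the seteuid(2) prototype */
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* RFC1179 source-port window quoted in the text above. */
#define LPD_SRC_PORT_MIN 721
#define LPD_SRC_PORT_MAX 731

/* Server side: was the peer (from accept(2) or getpeername(2)) bound to
 * a port in the RFC1179 window?  Returns 1 if so, 0 otherwise. */
int rfc1179_source_port_ok(const struct sockaddr_in *peer)
{
    unsigned port = ntohs(peer->sin_port);
    return port >= LPD_SRC_PORT_MIN && port <= LPD_SRC_PORT_MAX;
}

/* Bind `sock` with EUID root, then return to `run_as` before any other
 * work is done.  Assumes the process was started by root (real or saved
 * UID 0); otherwise seteuid(0) fails and nothing is bound.
 * Returns 0 on success, -1 with errno set on failure. */
int bind_with_root(int sock, const struct sockaddr *addr, socklen_t len,
                   uid_t run_as)
{
    int rc, saved_errno;

    if (seteuid(0) < 0)
        return -1;                  /* not started by root: EPERM */
    rc = bind(sock, addr, len);     /* the only call made as root */
    saved_errno = errno;
    if (seteuid(run_as) < 0)
        abort();                    /* never carry on with EUID root */
    errno = saved_errno;
    return rc;
}

/* Open a listening TCP socket on `port`; everything except the bind(2)
 * itself runs with the caller's current EUID, `run_as`.
 * Returns the socket, or -1 with errno set. */
int open_listener(unsigned short port, uid_t run_as)
{
    struct sockaddr_in sin;
    int on = 1, saved_errno;
    int sock = socket(AF_INET, SOCK_STREAM, 0);

    if (sock < 0)
        return -1;
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_ANY);
    sin.sin_port = htons(port);
    if (bind_with_root(sock, (struct sockaddr *)&sin, sizeof sin, run_as) < 0
        || listen(sock, 10) < 0) {
        saved_errno = errno;
        close(sock);
        errno = saved_errno;
        return -1;
    }
    return sock;
}
```

          Because seteuid(2) leaves the real UID as root, the EUID can be
          raised again for a later bind; a process that must give up root
          for good has to reset its real and saved UIDs as well.
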
             Given this need for ROOT permissions, the LPRng code goes to
          extreme lengths to ensure that only the bind(2)
          calls are made with EUID root, and that all other operations are
          done either as daemon (server) or as user (clients).  It is
          strongly recommended that the lpd program not be SUID root, but
          should be started up by the system initialization rc(4) scripts
          or a root user.
             It is recommended that all client programs be run as user
          (non-privileged) jobs.  Only files accessible to the user will
          be read or transferred to the server.  If a user wants to access
          a printer that requires privileged ports, it is a simple matter
          to create a bounce queue on a server that will forward a job to
          the remote system.
             The checkpc (check printcap) program scans the printcap and
          permissions databases, spool queues, and checks permissions of
          files and directories.  If run by ROOT with the -f (fix) flag
          set, it will try to change ownerships, create files and/or
          directories, and remove junk or old job files from spool queues.
          This program also has some portability tests built into it, and
          can be used to check that the target system can safely run the
          LPRng software.
             Most efforts to circumvent accounting and permissions checks
          are based on forging or impersonation of another user or network
          host.  The current version of the LPRng software depends on the
          various system configuration and database utilities to provide
          user authentication and system authentication.  This is clearly
          inadequate, and a future release of LPRng will support
          encryption based authentication; the KERBEROS and the PGP
          systems are under active study for possible use.  The method
          will be based on using the filter mechanism to invoke a set of
          authentication programs rather than directly incorporating the
          code into the LPRng software.  This allows a variety of
          mechanisms to be used.
             One of the arguments for running client programs SUID ROOT is
          that it allows them to connect to the server from a privileged
          port, and the information provided will be authenticated in some
          manner by use of the operating system facilities.
          Unfortunately, the LPRng software uses various network databases
          to obtain connecting host information; by attacking the system
          by spoofing database (DNS) server activities, it is possible to
          forge authentication.
             The use of NFS exported and mounted spool directories exposes
          the LPRng software to extreme attack.  One of the assumptions
          made by most spooling systems is that only the trusted spooling
          software or trusted application programs will have write access
          to the spool directory; when the directory is NFS mounted or
          exported this may no longer be true.  Several spooling systems
          operate by writing job control and data files into an NFS
          mounted spool directory.  By appropriately forging network
          identification, credentials, and various RPC calls, attackers
          can create or modify unprotected files in the spooling
          directory.  The ability to read information in job or other
          files may also give them the ability to launch other forms of
          attack.  One of the more malicious denial of service attacks is
          to create a file that cannot be removed or modified; the spooler
          software may
          end up repeatedly attempting to print the file, blocking other
          users from using the spool queue and consuming printer
          resources.
             In order to protect the LPRng software from NFS spoofing based
          attacks, the printcap cd=directory entry specifies a separate
          control file directory to be used by lpd for all spool queue
          files except the job and data files.  This directory should not
          be NFS mounted or exported, and should reside on the local host
          file system.  This directory should be carefully created so as
          to be accessible only by user daemon.  Printcap and other
          information can be safely placed in this directory as it cannot
          be modified by NFS operations.
             Avoiding printing accounting procedures has long been a
          tradition at educational institutions; while minor infringements
          are usually ignored, persistent and blatant offenses are
          worrisome.  In addition, once an individual discovers a method
          then it apparently is rapidly copied by others, leading to
          widespread abuse.  One difficulty faced by administrators is
          determining the resources used by a job.  As part of the
          printing algorithm, the LPRng software provides a set of hooks
          to allow the invocation of accounting programs before and after
          the actual job is printed.  For example, most PostScript
          printers have a page count register whose value can be easily
          read by a simple PostScript program.  By reading this before and
          after a job the total usage can be calculated.
             However, some students have discovered that by aborting a job
          in the middle of its printing, or by printing a job that
          contains information that causes the printer to hang and not
          report the total pages used at the end of a job, they can avoid
          the normal accounting procedures.  By recording information
          before as well as after a job completes, such incomplete jobs
          can be found.
             Filters are a major security loophole, as most filters are
          shell scripts and inherit shell script vulnerabilities.  To
          combat this, the LPRng software defaults to running all filters
          either as the user or as daemon, and provides a predefined and
          limited set of environment variables.  Some network printer
          filters need to open a privileged port and must have root
          permissions.  This is a serious vulnerability, and the
          lp=host%port printer specification has been provided to
          ameliorate this problem.  It has been recommended that filters
          run as user nobody, restricting capabilities to an even greater
          extent, and this consideration is under study.
             If it is absolutely necessary that a filter execute with ROOT
          permissions, then the administrator should install the filter
          SUID root, but only allowing execution by group daemon.  For
          example:
           chown root $filter
           chgrp daemon $filter
           chmod 4010 $filter
             Filters which are actually shell scripts are vulnerable to
          attacks using metacharacters in option strings.  To combat this,
          the LPRng software ruthlessly purges from filter options all
          characters other than alphanumerics, whitespace and simple
          punctuation (minus, equal, period, slash, and comma).  The raw
          option information is available in the PRINTCAP and CONTROL_FILE
          environment variables.  Administrators would be wise to examine
          shell based printer filters for similar security loopholes.
             Deliberate denial of service attacks are almost impossible to
          avoid.  However, heavy usage of the printer system can produce
          almost the same symptoms.  For example, when a large number of
          print jobs are queued it is possible to exhaust the spool queue
          file space.  The printcap mx (maximum job size) entry specifies
          the maximum job size (in Kbytes) to be queued and the mi
          (minimum free space) entry specifies the minimum free space (in
          Kbytes) needed.

               Example Printcap Files

          The following is a typical set of LPRng printcap files that
          could be used with the psfilter programs.  We assume we are
          talking to an HP IV printer, ecepr3, which is using a Jetdirect
          card that allows a direct printer connection on port 9100.  We
          have installed the filter software as follows:
          /usr/local/lib/ - directory
            psif - IF filter
            psof - OF filter
            bannerx - banner printer
          Version 1:
          By default, the psof filter will print a banner using
          information on the short banner line and/or parameters passed by
          LPRng.
           # LPRng printcap files
           # HP LaserJet 4m+
           lw4|lp|HP LaserJet 4M
           # job size information
             :mx#0
           # spool directory
             :sd=/usr/spool/cca_4mp:
           # device network address
             :lp=ecepr3%9100
             :rw
           # set up status and
           #  accounting files
             :sf=status
             :af=acct
             :lf=log
           # page information size
             :pl#60:pw#80:
           # you need SHORT BANNER
           # specify the SHORT BANNER
           #  line format
             :sb
             :bl=Seq\: $-'j \
               Class\: \ $-'C \
               User\: $-'n Job\: $-'J \
               Date\: $-'t
           # turn FF off
             :sf
           # filters
             :if=/usr/local/lib/psif
             :of=/usr/local/lib/psof
          Version 2:
          You want to have a special banner, so you specify a BP banner
          printer explicitly and turn off the psof banner generation.
          Make the following changes to Version 1.
           REMOVE:
             :sb (you want full banners)
           ADD:
             # use new banner printer
             :bp=/usr/local/lib/bannerx
           CHANGE:
             # pass option to filter to
             # turn off banner generation and
             # pass through text
             :of=/usr/local/lib/psof -Tbanner=off
          Version 3:
          Printer is on /dev/ttya serial line.  (Note: the stty options
          are taken from an actual functioning printer connection and
          should work for an HP printer on a serial line.)  Make the
          following changes to Version 1.
           CHANGE:
             :lp=/dev/ttya
           ADD:
             :sy=38400 -echo -crmod \
               -raw -oddp -evenp \
                pass8 cbreak ixon
          Version 4: you do not want banner pages at all.  Make the
          following changes to Version 1.
           # LPRng printcap files
           ADD:
             # suppress all header info
             :sh

            Summary and Acknowledgments

             The LPRng software continues to evolve as users find problems
          and develop new printing requirements.  One of the areas to be
          pursued is the use of encryption for end to end authentication
          of users and print jobs.  Another is adding interfaces to other
          network based spooling systems.  Finally, documentation and
          automated management continue to be pursued.
             The network based interfaces for client programs make user
          developed GUI systems almost trivial to develop.  PERL scripts
          and Tcl/Tk based front ends can be developed rapidly and with
          little effort.
             The development of the PLP and LPRng software would not have
          been possible without the aid and assistance of literally
          hundreds of users.  The main developer of the software was
          Patrick Powell <papowell@sdsu.edu>, and Justin Mason
          <jmason@iona.ie> generated the PLP4.0 distribution, contributed
          much of the portability code, and organized the plp@iona.ie
          mailing list.  Subscribe by sending email to
          plp-request@iona.ie with the word subscribe in the body.  Marty
          Leisner <leisner@sdsp.mc.xerox.com>, Ken Lalonde
          <ken@cs.toronto.edu>, and Michael Joosten <joost@ori.cadlab.de>
          performed invaluable portability testing and debugging of the
          LPRng Alpha Minus release; they discovered and provided fixes
          for literally hundreds of bugs.
             LPRng was based on PLP Release 4.0, to which the following
          people (in alphabetical order) contributed:
          Dave Alden <alden@math.ohio-state.edu>
          Julian Anderson <jules@comp.vuw.ac.nz>
          Jan Barte <yann@uni-paderborn.de>
          Baba Z Buehler <baba@beckman.uiuc.edu>
          Lothar Butsch <but@unibw-hamburg.de>
          David M Clarke <dmc900@durras.anu.edu.au>
          Panos Dimakopoulos <dimakop@cti.gr>
          Angus Duggan <angus@harlequin.co.uk>
          Martin Forssen <maf@math.chalmers.se>
          Michael Haardt <u31b3hs@POOL.Informatik.RWTH-Aachen.DE>
          Eric C Hagberg <hagberg@mail.med.cornell.edu>
          Paul Haldane <Paul.Haldane@edinburgh.ac.uk>
          George Harrach <ghharrac@ouray.Denver.Colorado.EDU>
          Stefano Ianigro <w_stef@unibw-hamburg.de>
          Helmut Jarausch <jarausch@igpm.igpm.rwth-aachen.de>
          Michael Joosten <joost@ori.cadlab.de>
          Stuart Kemp <stuart@cs.jcu.edu.au>
          Hendrik Klompmaker <Hendrik.Klompmaker@Beheer.zod.wau.nl>
          Rick Martin <rickm@cs.umb.edu>
          Todd C. Miller <Todd.Miller@cs.colorado.edu>
          Corey Minyard <minyard@wf-rch.cirr.com>
          Dorab Patel <dorab@twinsun.com>
          Ed Santiago <esm@lanl.gov>
          Bjarne Steinsbo <bjarne@hsr.no>
          Harlan Stenn <harlan@pfcs.com>
          Julian Turnbull <jst@dcs.edinburgh.ac.uk>
          Bertrand Wallrich
             <Bertrand.Wallrich@loria.fr>
          Greg Wohletz <greg@cs.unlv.edu>

                 Author Information

             Patrick               Powell
          <papowell@sdsu.edu>  is faculty
          in  the  Department of Computer
          and  Electrical  Engineering at
          San Diego State University, San
          Diego   CA   92182,   where  he
          teaches Computer Networks, Real
          Time  Systems,  and Distributed
          Computing.

                     References

          Pow95. Patrick A. Powell, LPRng - Enhanced Printer Spooler
             Software Reference Manual, Dept. of Electrical and Computer
             Engineering, San Diego State University, San Diego, CA 92182,
             1995.  FTP://ftp.iona.ie/pub/LPRng/,
             FTP://dickory.sdsu.edu/pub/LPRng/
          Cam94. Ralph Campbell, ``4.3BSD Line Printer Spooler Manual,''
             4.4 Berkeley Software Distribution, Computer Systems Research
             Group, U.C. Berkeley, Berkeley CA, 1994.  USENIX Association
             and O'Reilly & Associates, Inc.
          Pow95a. Patrick A. Powell, ``PLP - The Public Line Printer
             Spooler Reference Manual,'' PLP 4.0 Software Distribution,
             1995.  FTP://ftp.iona.ie/pub/plp-4.0
          McL90. Leo J. McLaughlin III, RFC1179 Line Printer Daemon
             Protocol, Internet Advisory Board, 1990.
          GNU91. GNU, GNU General Public License, Free Software
             Foundation, Inc., 675 Mass. Ave. Cambridge, MA 02139, 1991.





